Re: Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)


Steve Kilbane
 

Hi Shane,

As a comment on the revised slides, slide 10 doesn't work for me, since it shows a cycle, but you wouldn't go from your intended end-point (audit done) back to "just" OpenChain compliance without SBOM or automation.

As noted on the call, these aren't linear journeys, and an organisation could collect these plot tokens by wandering the map in whichever order they choose. They may add external audit first, then automation, then use that automation to produce their SBOMs.

I did like the idea of identifying them as best practices rather than "levels", because they can be adopted in any order. I did wonder whether it made sense to have a receiver award the SBOM badge to the supplier, but that might be problematic with respect to confidential business arrangements.

It would be nice if there were an SBOM badge that could be awarded to open source projects that are producing suitable output - uses SPDX IDs, includes an SBOM - but that's probably more down to the SPDX project than the OpenChain project.

steve

-----Original Message-----
From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: 24 August 2021 08:00
To: OpenChain Main <main@...>
Cc: OpenChain Specification <specification@...>; OpenChain Japan <japan-wg@...>; OpenChain Korea <korea-wg@...>; OpenChain Germany <germany-wg@...>; OpenChain UK <uk-wg@...>; OpenChain Partners <partners@...>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain India <india-wg@...>
Subject: Re: [openchain] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Thanks for the great feedback Kate and Mark (on this list) and loads of other people (on our call).

In broad strokes:
(1) we decided to make it *very* clear this was not about variants of OpenChain ISO 5230 but rather about where companies can go next after adoption
(2) we decided to pull back from “quality grading” by the project and instead provide case studies and examples to help inspire companies

Check out the latest (and dramatically overhauled) edit here:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

On Aug 23, 2021, at 23:06, Mark Gisi <mark.gisi@...> wrote:

One of the core guiding principles for the OpenChain Specification is to focus on the what and why of compliance (and avoid the how and when). This is highlighted in the introduction of the spec. That is, avoid being prescriptive.

It was always understood that the OpenChain Project would foster the creation of various materials around best practices to educate how other companies achieve conformance. That is - to describe the prescriptive ways of others. This has not been done with any formal structure yet within the project. The proposed levels approach is the first attempt to do this, which I commend. What I disagree with is mixing the specification too tightly with prescriptive ways, because it undermines a core principle and purpose of the specification.

I suggest we create a complementary best practice program/guide that encourages companies to consider various prescriptive levels. That is, have Best Practice Levels (bronze, silver, gold, …) but DON’T confuse it with the spec (which is: about what and why, practice neutral, non-prescriptive, …). For instance, have a program with its own logo (for example - see attached).

best,

Mark Gisi
Director, Open Source Program Office
Empowering Customers to Prosper using Open Source
(510) 749-2016
-----Original Message-----
From: specification@... <specification@...> On Behalf Of Shane Coughlan
Sent: Monday, August 23, 2021 1:43 AM
To: OpenChain Main <main@...>
Cc: OpenChain Japan <japan-wg@...>; OpenChain Korea <korea-wg@...>; OpenChain Germany <germany-wg@...>; OpenChain India <india-wg@...>; OpenChain UK <uk-wg@...>; OpenChain Partners <partners@...>; OpenChain Automotive <openchain-automotive-work-group@groups.io>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>; OpenChain Specification <specification@...>
Subject: [specification] Proposal - OpenChain Quality of Conformance Assessment Levels (including a sub-proposal for tooling quality assessment levels)

Dear all

During a recent OpenChain Japan Planning meeting we discussed the challenge of “next steps” in OpenChain ISO 5230 conformance. Our initial goal of adoption in the supply chain is well underway. Our basic concept of “raising all the boats” is working. But now it is time to talk in more detail about “raising the boats to where?”

From its launch in October 2016 until today, the OpenChain Project has been based on the concept of continual improvement (or Kaizen). We can now provide a “map” to help guide companies in this process, and to help customer companies judge the sophistication of suppliers who have adopted OpenChain ISO 5230.

Attached is a slide-deck exploring how this can be done. We will be discussing this in the OpenChain bi-weekly global work team meeting today (Monday 23rd of August) at 14:00 UTC. All welcome. No registration.
https://zoom.us/j/4377592799

You can add comments to this document online:
https://1drv.ms/p/s!AsXJVqby5kpnkShuUGG9M2Ki9MEc

Regards

Shane
<ocbp-logo.jpg>